A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 16 June 2009. 

2a) [ ] This action is FINAL. 2b) [X] This action is non-final. 

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213. 

Disposition of Claims 

4) [X] Claim(s) 1-24 is/are pending in the application. 

4a) Of the above claim(s) ____ is/are withdrawn from consideration. 

5) [ ] Claim(s) ____ is/are allowed. 

6) [X] Claim(s) 1-24 is/are rejected. 

7) [ ] Claim(s) ____ is/are objected to. 

8) [ ] Claim(s) ____ are subject to restriction and/or election requirement. 

Application Papers 

9) [ ] The specification is objected to by the Examiner. 

10) [ ] The drawing(s) filed on ____ is/are: a) [ ] accepted or b) [ ] objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage 
application from the International Bureau (PCT Rule 17.2(a)). 

DETAILED ACTION 



In view of the Pre-Appeal Brief filed on 06/16/2009, PROSECUTION IS HEREBY 
REOPENED. A new ground of rejection is set forth below. Claims 1-24 are pending and have 
been considered as follows. 



Examiner's Note 

1. The Applicant appears to be attempting to invoke 35 U.S.C. 112 6th paragraph in Claims 
7-12 by using "means-plus-function" language. However, the Examiner notes that the only 
"means" for performing these cited functions in the specification appears to be computer 
program modules. While the claims pass the first test of the three-prong test used to determine 
invocation of paragraph 6, since no other specific structural limitations are disclosed in the 
specification, the claims do not meet the other tests of the three-prong test. Therefore, 35 U.S.C. 
112 6th paragraph has not been invoked when considering these claims below. 

Claim Rejections - 35 USC § 101 

2. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

3. Claims 1-12 & 19-24 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. 

Claims 1-6 are rejected under 35 U.S.C. 101 based on Supreme Court precedent and 
recent Federal Circuit decisions, a 35 U.S.C. § 101 process must (1) be tied to a particular 
machine or (2) transform underlying subject matter (such as an article or materials) to a different 
state or thing. In re Bilski et al, 88 USPQ 2d 1385 CAFC (2008); Diamond v. Diehr, 450 U.S. 
175, 184 (1981); Parker v. Flook, 437 U.S. 584, 588 n.9 (1978); Gottschalk v. Benson, 409 U.S. 
63, 70 (1972); Cochrane v. Deener, 94 U.S. 780, 787-88 (1876). 

An example of a method claim that would NOT qualify as a statutory process would be a 
claim that recited purely mental steps. Thus, to qualify as a § 101 statutory process, the claim 
should positively recite the particular machine to which it is tied, for example by identifying the 
apparatus that accomplishes the method steps, or positively recite the subject matter that is being 
transformed, for example by identifying the material that is being changed to a different state. 

Here, applicant's method steps are not tied to a particular machine and do not perform a 
transformation. Thus, the claims are non-statutory. 

The mere recitation of the machine in the preamble with an absence of a machine in the 
body of the claim fails to make the claim statutory under 35 USC 101. Note the Board of Patent 
Appeals Informative Opinion Ex parte Langemyer et al. 

Claims 7-12 & 19-24 recite two systems comprising what appears to be nothing more 
than computer program modules which is non-statutory subject matter under 35 U.S.C. 
101. Although Claims 7-12 recite "means for," the applicants' Specification and 
Drawings do not clearly disclose the scope of the "means for" performing the method 
steps claimed. That is, the "means" appear to be merely software. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

5. Claims 1-4, 7-10, 13-16, & 19-22 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Vaidya (US-6279113-B1) in view of Coleman et al. (US-20050037733-A1). 

Claims 1, 7, 13, & 19: 

Vaidya discloses a method for maintaining security of a computer system, a system for 
maintaining computer security, a computer recording medium including computer executable 
code for maintaining security of a computer system, and a system for maintaining computer 
security comprising, 

- "providing access to a database of signatures" (i.e. "the data repository 12 includes a 
database handler 26 which polls the data collectors 10 for intrusion detection data and 
stores the data for future reference") [column 5 lines 47-50]; 

- "receiving data" (i.e. "The remote network 24 is connected to the LAN 11 and is 
equipped with a data collector 10 which monitors work stations located on the remote 
network 24 and transmits network security data specific to the remote network back to 
the data repository 12. Both the remote network 24 and the LAN 11 are connected to the 
global communications network referred to as the Internet") [column 5 lines 39-46]; 

- "comparing the received data with the database of signatures" (i.e. "The attack signature 
profiles are adapted for detecting network data patterns associated with network 
intrusions which include unauthorized attempts to access network objects, unauthorized 
manipulation of network data, including data transport, alteration or deletion, and 
attempted delivery of malicious data packets capable of causing a malfunction in a 
network object") [column 5 lines 33-39]; 

but, Vaidya does not explicitly disclose, 

"determining an initial system certainty value for the computer system," although 
Coleman et al. do suggest a mistrust level for each wireless network device, as recited 
below; 

- "each signature including a signature certainty value," although Coleman et al. do suggest 
a confidence level with respect to a detected anomaly, as recited below; 

- "increasing the system certainty value if the received data does not match a signature in 
the database," although Coleman et al. do suggest, as recited below; 

- "decreasing the system certainty value if the received data matches a signature in the 
database," although Coleman et al. do suggest incrementing/decrementing the mistrust 
level accordingly, where although the incrementing and decrementing are done on 
inverse conditions as compared to the applicant's claims (i.e. the prior art decrements 
whereas the applicant increments under the same condition), Coleman et al. do suggest 
that the calculation methodology can be modified; additionally, it is reasonable to expect 
one of ordinary skill in the art to view the incrementing/decrementing as a design 
decision so long as the incrementing is opposite of the decrementing in terms of the 
matched conditions; that is, incrementing the mistrust level can be for a match so long as 
decrementing the mistrust level is for a no match and vice versa, as recited below; 

- "filtering the data based on the system certainty value and the signature certainty value of 
a signature matching the received data," although Coleman et al. do suggest utilizing both 
the confidence value and initial mistrust level to calculate a new mistrust level to 
determine the intrusion prevention measures to enact, as recited below; 

however, Coleman et al. do suggest, as recited below; 

- ". . .The RIAFE 86 maintains a running mistrust level for each wireless network device 
36, 38 and each WiAP 16, 16' in the WiNet 18 based on WiNet 18 traffic/event data 100 
received at CDE 76. Based on the confidence metric and the type of anomaly detected 
(e.g., received as decision data from the CDE 76), different attacks are assigned different 
weights. . .For example, a detected RF anomaly is assigned weight $\alpha$, whereas a 
digital signature mismatch is assigned a different weight $\beta$. The mistrust level of 
network devices 34, 36 and WiAPs 16, 16' is initialized to zero, then incremented and/or 
decremented by the RIAFE 86. . ." [page 6 para 102-103]; 

- ". . .The confidence level corresponding to the detected anomaly for that wireless network 
device. . ." [page 8 para 118]; 

- ". . .The RIAFE 86 maintains a running mistrust level for each wireless network device 
36, 38 and each WiAP 16, 16' in the WiNet 18 based on WiNet 18 traffic/event data 100 
received at CDE 76. Based on the confidence metric and the type of anomaly detected 
(e.g., received as decision data from the CDE 76), different attacks are assigned different 
weights. . .For example, a detected RF anomaly is assigned weight $\alpha$, whereas a 
digital signature mismatch is assigned a different weight $\beta$. The mistrust level of 
network devices 34, 36 and WiAPs 16, 16' is initialized to zero, then incremented and/or 
decremented by the RIAFE 86. . .The mistrust level decrement value is calculated within 
the normal range of mistrust levels (e.g., M<4) using CDE 76 inputs is illustrated with 
the pseudo code in Table 4. However, the invention is not limited to this calculation and 
other calculations can also be used to practice the invention. . ." [page 6 para 102 & page 
8 para 124]; 

- ". . .Also, the confidence metric is quantitative. In one embodiment of the invention, the 
confidence level is a real number between zero and one, and is used by the RIAFE 86 as 
a multiplier. However, the present invention is not limited to such a confidence level and 
other confidence levels can also be used. The confidence level corresponding to the 
detected anomaly for that wireless network device is multiplied by the weighting factor 
that is assigned to the corresponding detected anomaly, and the result is added to the 
existing mistrust level for the given wireless network device 36, 38 to arrive at the new 
mistrust level. A decrement value is also included. The mistrust level is adjusted 
according to Equation 9. $M_{new} = M + \alpha\beta - M_{dec\_val}$, (9) 
where $M_{new}$ is a new mistrust level, $M$ is an old mistrust level, $\alpha$ is a confidence 
level in a detected anomaly, $\beta$ is a weight assigned to the type of anomaly and, 
$M_{dec\_val}$ is a mistrust level decrement value. . .Pro-active intrusion 
prevention is achieved by dynamic switching or cycling of these protection suites 
according to the running mistrust levels. If a mistrust level of three is reached, more 
drastic intrusion prevention measures are taken, including switching of the RF band, for 
example, for 802.11b from 2.4 GHz to 5 GHz. This sends an alarm notification 102 to the 
network administrator 92. . ." [page 8 para 118-119 & page 9 para 130]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "determining an initial system certainty value for the computer 
system" and "each signature including a signature certainty value" and "increasing the system 
certainty value if the received data does not match a signature in the database" and "decreasing 
the system certainty value if the received data matches a signature in the database" and "filtering 
the data based on the system certainty value and the signature certainty value of a signature 
matching the received data," in the invention as disclosed by Vaidya for the purposes of 
adjusting the level of trust for a particular device based on the matches of anomalies/signatures 
(i.e. does the received data match a known intrusion). 

Claims 2, 8, 14, & 20: 

Vaidya and Coleman et al. disclose a method for maintaining security of a computer system, a 
system for maintaining computer security, a computer recording medium including computer 
executable code for maintaining security of a computer system, and a system for maintaining 
computer security, as in Claims 1, 7, 13, & 19 above, their combination further disclosing, 

- "the data that does not match a signature in the database is forwarded to its destination" 
(i.e. "indicating which network objects are not permitted to access other network 
objects") [column 6 lines 34-35]. 

Claims 3, 9, 15, & 21: 

Vaidya and Coleman et al. disclose a method for maintaining security of a computer system, a 
system for maintaining computer security, a computer recording medium including computer 
executable code for maintaining security of a computer system, and a system for maintaining 
computer security, as in Claims 1, 7, 13, & 19 above, but Vaidya does not explicitly disclose, 
"the increased or decreased certainty value becomes the initial system value," although 
Coleman et al. do suggest incrementing/decrementing the mistrust level accordingly, as 
recited below; 
however, Coleman et al. do disclose, 

- ". . .The RIAFE 86 maintains a running mistrust level for each wireless network device 
36, 38 and each WiAP 16, 16' in the WiNet 18 based on WiNet 18 traffic/event data 100 
received at CDE 76. Based on the confidence metric and the type of anomaly detected 
(e.g., received as decision data from the CDE 76), different attacks are assigned different 
weights. . .For example, a detected RF anomaly is assigned weight $\alpha$, whereas a 
digital signature mismatch is assigned a different weight $\beta$. The mistrust level of 
network devices 34, 36 and WiAPs 16, 16' is initialized to zero, then incremented and/or 
decremented by the RIAFE 86. . .The mistrust level decrement value is calculated within 
the normal range of mistrust levels (e.g., M<4) using CDE 76 inputs is illustrated with 
the pseudo code in Table 4. However, the invention is not limited to this calculation and 
other calculations can also be used to practice the invention. . ." [page 6 para 102 & page 
8 para 124]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the increased or decreased certainty value becomes the initial 
system value," in the invention as disclosed by Vaidya for the purposes of adjusting the level of 
trust for a particular device based on the matches of anomalies/signatures (i.e. does the received 
data match a known intrusion). 
Claims 4, 10, 16, & 22: 

Vaidya and Coleman et al. disclose a method for maintaining security of a computer system, a 
system for maintaining computer security, a computer recording medium including computer 
executable code for maintaining security of a computer system, and a system for maintaining 
computer security, as in Claims 1, 7, 13, & 19 above, their combination further disclosing, 

- "the data comprises a packet of data" (i.e. "data packets") [column 5 line 38]. 

6. Claims 5, 11, 17, & 23 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Vaidya (US-6279113-B1) in view of Coleman et al. (US-20050037733-A1) in view of Nakae et 
al. (US-20040172557-A1). 

Claims 5, 11, 17, & 23: 

Vaidya and Coleman et al. disclose a method for maintaining security of a computer system, a 
system for maintaining computer security, a computer recording medium including computer 
executable code for maintaining security of a computer system, and a system for maintaining 
computer security, as in Claims 1, 7, 13, & 19 above, but their combination does not explicitly 
disclose, 

- "the filtering further comprises forwarding the data if the signature certainty value is less 
than the system certainty value," although Nakae et al. do suggest the confidence level 
exceeding the threshold value, as recited below; 

"the filtering further comprises discarding the data if the signature certainty value is 
greater than the system certainty value," although Nakae et al. do suggest blocking access 
when the confidence does not exceed the threshold, as recited below; 
however, Nakae et al. do disclose, 

"After the confidence level c has exceeded the threshold value T, the IP packets of the 
access from the ordinary host 302 are guided to the server 401 on the internal network 4" 
[page 11 para 193 lines 16-19]; 

- "This causes input IP packets to be continuously guided to the decoy unit. Thereafter, 
when detecting an attack corresponding to "intrusion" or "destruction", the permanent 
access blocking is made active" [page 14 para 249 lines 7-11]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the filtering further comprises forwarding the data if the 
signature certainty value is less than the system certainty value" and "the filtering further 
comprises discarding the data if the signature certainty value is greater than the system certainty 
value," in the invention as disclosed by Vaidya and Coleman et al. for the purposes of providing 
a determination as to whether a requester is permitted or denied access to the network according 
to a level of trust. 

7. Claims 6, 12, 18, & 24 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Vaidya (US-6279113-B1) in view of Coleman et al. (US-20050037733-A1) in view of Nakae et 
al. (US-20040172557-A1) in view of Moran (US-7032114-B1). 

Claims 6, 12, 18, & 24: 

Vaidya, Coleman et al., and Nakae et al. disclose a method for maintaining security of a 
computer system, a system for maintaining computer security, a computer recording medium 
including computer executable code for maintaining security of a computer system, and a system 
for maintaining computer security, as in Claims 1, 7, 13, & 19 above, but their combination does 
not explicitly disclose, 

- "the step of forwarding further comprises generating a message log to indicate that data 
matching a signature was forwarded," although Moran does suggest an event record, as 
recited below; 

however, Moran does disclose, 

- "an intrusion detection system comprises a mechanism for checking timestamps, 
configured to identify backward and forward time steps in a log file, filter out expected 
time steps, correlate them with other events, and assign a suspicion value to a record 
associated with an event" [column 4 lines 28-33]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant's invention to include, "the step of forwarding further comprises generating a message 
log to indicate that data matching a signature was forwarded," in the invention as disclosed by 
Vaidya, Coleman et al., and Nakae et al. for the purposes of recording timed information for 
future further analysis. 



Response to Arguments 

8. Applicant's arguments, see Pre-Appeal Request, filed 06/16/2009, with respect to the 
rejection(s) of claim(s) 1-24 under 35 U.S.C. 103(a) have been fully considered and are 
persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, 
a new ground(s) of rejection is made in view of newly found prior art in combination with 
previously applied prior art. 

Conclusion 

9. The prior art made of record and not relied upon is considered pertinent to the applicant's 
disclosure. 

a. Wiley et al. (US-20050097339-A1) - method and system for addressing intrusion 
attacks on a computer system; 

b. Valdes et al. (US-20020059078-A1) - probabilistic alert correlation; 

c. Cuddihy et al. (US-5799148) - system and method for estimating a measure of 
confidence in a match generated from a case-based reasoning system; 

10. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Examiner Oscar Louie whose telephone number is 571-270-1684. 
The examiner can normally be reached Monday through Thursday from 7:30 AM to 4:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami, can be reached at 571-272-4195. The fax phone number for 
Formal or Official faxes to Technology Center 2400 is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/OSCAR A LOUIE/ 
12/31/2009 



/Eleni A Shiferaw/ 

Primary Examiner, Art Unit 2436 



